From: Matthew Wilcox
To: Kent Overstreet
Cc: Kees Cook, Johannes Thumshirn, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-bcachefs@vger.kernel.org, Kent Overstreet, Andrew Morton, Uladzislau Rezki, hch@infradead.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 07/32] mm: Bring back vmalloc_exec
Date: Tue, 16 May 2023 22:47:13 +0100
References: <20230509165657.1735798-1-kent.overstreet@linux.dev> <20230509165657.1735798-8-kent.overstreet@linux.dev> <3508afc0-6f03-a971-e716-999a7373951f@wdc.com> <202305111525.67001E5C4@keescook> <202305161401.F1E3ACFAC@keescook>
List-ID: linux-kernel@vger.kernel.org

On Tue, May 16, 2023 at 05:20:33PM -0400, Kent Overstreet wrote:
> On Tue, May 16, 2023 at 02:02:11PM -0700, Kees Cook wrote:
> > For something that small, why not use the text_poke API?
>
> This looks like it's meant for patching existing kernel text, which
> isn't what I want - I'm generating new functions on the fly, one per
> btree node.
>
> I'm working up a new allocator - a (very simple) slab allocator where
> you pass a buffer, and it gives you a copy of that buffer mapped
> executable, but not writeable.
>
> It looks like we'll be able to convert bpf, kprobes, and ftrace
> trampolines to it; it'll consolidate a fair amount of code (particularly
> in bpf), and they won't have to burn a full page per allocation anymore.
>
> bpf has a neat trick where it maps the same page in two different
> locations, one is the executable location and the other is the writeable
> location - I'm stealing that.

How does that avoid the problem of being able to construct an arbitrary
gadget that somebody else will then execute? IOW, what bpf has done seems
like it's working around & undoing the security improvements.

I suppose it's an improvement that only the executable address is passed
back to the caller, and not the writable address.

> external api will be:
>
> void *jit_alloc(void *buf, size_t len, gfp_t gfp);
> void jit_free(void *buf);
> void jit_update(void *buf, void *new_code, size_t len); /* update an existing allocation */
>
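A userspace model of the jit_alloc/jit_update/jit_free contract quoted above, added here as an illustration and not code from the patch series or from bcachefs: it seals each allocation to RX so that only the executable address is ever handed back (the property Matthew asks about) and verifies the page's permissions through /proc/self/maps (Linux only). The mmap/mprotect implementation, the dropped gfp_t argument and the length argument to jit_free are assumptions of this model, not the proposed kernel API.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
/* Userspace model (an assumption, not the kernel code) of the quoted API: the
 * caller only ever gets the RX address; the RW view exists inside these helpers
 * and never as a second long-lived alias. mmap/mprotect/munmap round len up. */
void *jit_alloc(const void *buf, size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, buf, len);
    /* seal to RX: from here on no writable mapping of these bytes exists */
    if (mprotect(p, len, PROT_READ | PROT_EXEC) == 0) return p;
    munmap(p, len);
    return NULL;
}
/* In-place update without a second alias: W and X are never held together. */
int jit_update(void *p, const void *new_code, size_t len)
{
    if (mprotect(p, len, PROT_READ | PROT_WRITE) != 0) return -1;
    memcpy(p, new_code, len);
    return mprotect(p, len, PROT_READ | PROT_EXEC);
}
void jit_free(void *p, size_t len) { munmap(p, len); }
/* 1 if the page holding p is mapped writable, 0 if not, -1 if unknown (Linux only). */
int page_is_writable(const void *p)
{
    unsigned long lo, hi, a = (uintptr_t)p;
    char line[256], perms[5];
    FILE *f = fopen("/proc/self/maps", "r");
    int rc = -1;
    if (!f) return -1;
    while (rc < 0 && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 && a >= lo && a < hi)
            rc = perms[1] == 'w';
    fclose(f);
    return rc;
}
/* Constructed sample bytes, treated as opaque data and never executed.
 * Returns 0 when every W^X expectation holds, else the failing step number. */
int jit_selfcheck(void)
{
    const unsigned char v1[] = {1, 2, 3, 4}, v2[] = {9, 8, 7, 6};
    void *p = jit_alloc(v1, sizeof v1);
    if (!p) return 1;
    if (memcmp(p, v1, sizeof v1) != 0 || page_is_writable(p) != 0) return 2;
    if (jit_update(p, v2, sizeof v2) != 0) return 3;
    if (memcmp(p, v2, sizeof v2) != 0 || page_is_writable(p) != 0) return 4;
    jit_free(p, sizeof v1);
    return 0;
}
```

Unlike the bpf dual-mapping variant, jit_update here has to drop execute permission while it patches, which is the trade-off a single-mapping design makes in exchange for never exposing a writable alias.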